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Given a constraint c assumed to hold on a database 
B and an update u to be performed on _B, we ad- 
dress the foUowing question: wiU c still hold after u 
is performed? When i? is a relational database, we 
define a confluent terminating rewriting system which, 
starting from c and m, automatically derives a simpli- 
fied weakest precondition wp{c, u) such that, whenever 
B satisfies wp{c,u), then the updated database u{B) 
will satisfy c, and moreover wp{c, u) is simplified in 
the sense that its computation depends only upon the 
instances of c that may be modified by the update. 
We then extend the definition of a simplified wp{c, u) 
to the case of deductive databases; we prove it using 
fixpoint induction. 

Keywords: Database updates, integrity constraints, 
weakest preconditions, program verification and sim- 
plification. 



1 Introduction 

We assume a constraint c, given by a universal sen- 
tence, on a database B and an update u to be per- 
formed on B, and we address the following question: 
will c still hold after u is performed? When i3 is a 
relational database, we define a terminating rewriting 
system which, starting from c and u, automatically 
derives a simplified weakest precondition wp{c, u) such 
that, 1. whenever B satisfies ■wp{c,u), then the up- 
dated database u{B) will satisfy c, 2. wp{c, u) is the 
weakest such precondition, and 3. the computation of 
wp{c, u) depends only upon the instances of c that may 
be modified by the update. The definition of a weak- 
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est precondition wp{c, u) ensuring the safety of update 
u with respect to constraint c extends easily to deduc- 
tive databases with recursive rules and constraints, and 
even updates which can add (delete) recursive rules. 
When the update is an insertion update, we give an 
algorithm which defines a simplified weakest precon- 
dition. We will abbreviate weakest precondition into 
wp. 

A large amount of research work has been devoted 
to optimizing the verification of integrity constraints 
at transaction commit. These optimizing efforts use 
the fact that the constraints are verified when the 
transaction starts, so that the evaluation can focus 
on those constraints which can be violated by the up- 
dates and on the data relevant to the updates and to 
the constraints. Work in this area started for rela- 
tional databases with techniques to simplify domain- 
independent first-order formula [N82]. More recently, 
techniques based on propagating updates through the 
rules of deductive databases have been developed 
[BDM88, SK88, LST87]. These methods are well- 
understood by now; they have been tested in prototype 
implementations and start appearing in commercial 
products [V98]. [VBKL99] has shown that when gen- 
eral formulae are properly rewritten into rules defining 
intermediate predicates, and when update propagation 
is adequately formalized, the simplification approach 
can be seen as a special case of update propagation. 

However, these methods still involve computation 
at the end of the transaction, ft is sometimes claimed 
that, in practice, this negative effect on transaction 
commit time explains why integrity constraints are 
rarely used. While there are many applications where 
this is not true, such a negative effect is probably not 
acceptable in production systems where response time 
is critical. 

This is the reason why another line of research has 
been proposed. The objective is now to take into ac- 
count both the integrity constraints and the structure 
of the transaction program , to try and determine at 
compile-time whether executing the program can vi- 
olate this constraint or not. Early work in this line of 
research include [GM79, CB80, SS89]. For more recent 
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work, see [BS98, L95, L98, LTW93, M97]. 

To illustrate the differences between the two 
approaches, consider the constraint: 'forall x: 
p{x) li^'Y ^iid the transaction program (ex- 

pressed here in a Prolog-like syntax): ^prog{x) : 
—insert p{x), insert q{x).^ Running this program with 
X = a results in the insertion of both p{a) and q{a). 
Optimizing methods will avoid checking the constraint 
on the whole databases and will focus on the data rele- 
vant to the updates. A transaction compiling approach 
will determine at program or constraint compile-time 
that, executing pro,9(.T) with any parameter will never 
violate this constraint whatever instance is provided 
for X in prog{x), and no transaction-time activity will 
occur. 

Known theoretical results put a limit on what can 
be expected from such an approach [AHV95, BGL96]. 
Further, not all transaction programs are such that 
they can be proved compliant with the constraints at 
compile-time. However, (1) it is natural programming 
practice to write transaction programs as safe^ as pos- 
sible, and, (2) if the compile-time check fails, it is al- 
ways possible to resort to optimizing techniques. Fi- 
nally, simple examples like the one above indicate that 
it is worth attempting to design effective methods to 
prove the compliance of transaction programs with in- 
tegrity constraints. 

While predicate calculus appears today as the lan- 
guage of choice to express integrity constraints, the 
choice of an update language is more open. For in- 
stance, [GM79] or [BS98] focus on existing general- 
purpose programming languages, for which proving 
formal properties is notoriously difficult. In this pa- 
per, we follow [L95, L98, LTW93] by choosing a "pure" 
(no cut!) logic-programming based language, more 
easily amenable to proofs, in particular against con- 
straints expressed in predicate calculus. This choice 
remains practical for database systems, as they have 
a tradition of providing specific procedural languages, 
different from general-purpose programming languages 
(e.g., stored procedures). 

A second parameter is the degree of minimality of 
the language. While pure theory would tend to pre- 
fer a clean, mininal language, the design of effective 
methods is often facilitated by the use of additional 
programming contructs. This is in particular true of 
theorem proving techniques as clearly outlined by W. 
Bibel in [BLSB92]. In this paper, we add an if - 
then - else operator to the language of [LTW93]. 

In this paper, following the approach of [LTW93, 
L95, L98], we apply techniques coming from program 
verification and program transformations, see for in- 

^ A transaction program is safe if it preserves the truth of the 
constraints. 



Stance [D75, TS84, PP94, SS89]. Several approaches 
have been taken along these lines. One can either 
generate weakest preconditions, as in [LTW93, N82, 
BDM88, M97] or one can generate postconditions, as 
in [BS98]. Once the (pre or post)conditions are gener- 
ated, usually the task of verifying them is left to the 
user: hints to simplify the precondition are given in 
[LTW93], the decidability of checking the weakest pre- 
condition in relational databases is studied in [M97], 
while [N82] suggests a method for checking the pre- 
condition on only the relevant part of the database 
(e.g. the 'new' facts produced by an insertion update). 
[BS98] define post-conditions post{u. c) and they im- 
plement a theorem prover based approach to check the 
safety of updates at compile-time: it consists in prov- 
ing that post{u, c) c holds, as this is clearly a suffi- 
cient condition for ensuring that the update is safe. A 
different approach to the constraint preservation prob- 
lem has been studied in [BDA98]: it consists in con- 
structing generalized transaction schemes which ensure 
that classes of dynamic constraints are preserved. 
Contribution of the paper. It is twofold. 

1. In the case of relational databases, we define 
a terminating rewriting system which, starting from 
constraint c and update u automatically derives a wp 
ensuring the safety of the update; assuming that c 
holds, this wp is simplified into a formula which de- 
pends only upon those instances of subformulas of c 
that might be modified by the update. We prove that 
our simplified wp is simpler than the wp obtained in 
[LTW93, L95, L98] in the following sense: our simpli- 
fied wp is implied by the wp of [L98] , but the converse 
does not hold. 

2. For deductive databases allowing for recursion, we 
describe an algorithm computing an efficient simplified 
wp in the case of insertion updates. 

As soon as recursion is allowed, several problems 
come up: 1. it is undecidable to check if a transac- 
tion preserves a constraint [AHV95], 2. the wp is usu- 
ally not expressible in first-order logic [BGL96], and 
moreover, 3. if we want to ensure that both the wp 
and the constraint are expressed in the same language 
[BDM88, SK88, LST87, GSUW94, L98], we have to 
assume a language allowing for both negation and re- 
cursion, which severely limits efficient checking of the 
truth of the wp. Thus, we can only hope for special 
cases when the wp can be shown to hold and/or can 
be simplified. 

Our update language generalizes the language of 
[LTW93] and of [L98] by allowing for conditional up- 
dates; it is more expressive than SQL and the lan- 
guages of [BDM88, LST87, N82]: e.g. in the rela- 
tional case, in [BDM88], only elementary single fact 
insert /delete updates are considered, whilst we can in- 
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sert/dclete subsets defined by first-order formulas as 
in [BD88, LTW93, L95, L98]. Our simplified wp are 
simpler than the wp of [LTW93, L95, L98]. 

The paper is organized as follows: our update lan- 
guage is defined in section 2, the terminating rewrit- 
ing system deriving the simplified wp for relational 
databases is described in section 3, heuristics for treat- 
ing the deductive case are presented in section 4, and 
finally section 5 consists of a short discussion. 

2 Update language 

In the present section, we define our update language, 
which is a mild generalization of the update language 
of [LTW93], and we define the corresponding weakest 
preconditions. 

2.1 Definitions 

Let U be a coimtably infinite set of constants. 

1. a database (DB) S is a tuple {Ri, R2, Rn) 
where Ri is a finite relation of arity ki over U. The 
corresponding lower-case letters ri, r2, r„ denote 
the predicate symbols naming relations i?2, Rn'i 
they are called extensional predicates (or EDBs). 

2. an update u is a mapping from B = 
{Ri,R2,...,Rn) to u{B) = {R[,R'2,...,R'J where Ri 
and i?- have the same arity. 

3. a constraint c is a domain independent sentence 
(a closed first-order formula which is domain indepen- 
dent, see [T0S88, VGT87]). 

4. formula / is a precondition for update u and con- 
straint c if for every B, if B \= f then u{B) \= c. 

5. formula / is a weaker than formula g iff for every 
database B we have B \= g B \= f. Formula / is 
a weakest precondition for update u and constraint c, 
if it is weaker than every precondition for (u, c). 
Remark 1 In points 4 and 5 above, / is only a pre- 
condition for c, i.e. B \= f =^ u{B) \= c regardless of 
whether B \= c. 

Let i? be a relation in database B and let <l>(x) 
be a first-order formula with free variables x = 

• B' = B[R^ R'] denotes the result of substituting 
relation R' for relation R in B. 

• c[r —>■ rU4>\ (resp. c[r r — cj)]) denotes the result 
of substituting r{s) V (l){s) (resp. r(s) A -'<j){s)) for 
every occurrence of r(s) in c. 

• c[+r —^rUcf)] (resp. c[— r —^^rU (/)]) de- 
notes the result of substituting r(s) V (j){s) (resp. 
-■r(s) V (p{s)) for every positive^ (resp. negative) 
occurrence of r(s) in c. 

^An occurrence of r(s) is positive if it is within the scope of 
an even number of negations. It is negative otherwise. 



2.2 The update language 

Let $ be a first-order formula with free variables x 
and cond a first-order sentence which are domain in- 
dependent [T0S88, VGT87]. The instructions of our 
language are defined as follows. 
Definition 1 /i. foreach x : ^{x) do insertii{x) 
l2- foreach x : ^{x) do deleteR{x) 

13. If ii and 12 are instructions then {ii;i2) is an 
instruction; 

14. if cond then instl else inst2 is an instruc- 
tion. The alternative else inst2 is optional. 

For instance, adding tuple a in relation R, will be de- 
noted by foreach x : x = o do insert n{x). In the 
sequel, we will abbreviate it by: insert 11(a). Formula 
$ is called the qualification of the update. 

The update language of [LTW93] consists of instruc- 
tions Ii , I2 and /a . Our language is thus more user- 
friendly, because of the possibility of conditional up- 
dates defined in I4. Our language is equivalent to 
the language considered in [L98] : complex instructions 
such as 

foreach x : $(x) do (ii;i2) (1) 

where e.g. for j = 1,2, ij = foreach irj : $j(i5j) 
do insert (xj) will be expressed in our language by 
io;i'i]i'2 , where TEMP is a suitable, initially empty, 
temporary relation, and yj = x\ xj ior j = 1,2: 

io = foreach x : $(x) do insertTEMp{x) 
ij = foreach HcJ : (\fyj temp{x) A ^j{xj)^ do 
insert Rj{xj). 

Our language can be extended to allow for complex in- 
structions such as 1, as well as non sequential or par- 
allel combinations of updates (such as exchanging the 
values of two relations). On the other hand, I4 could 
also be simulated by several instructions of [LTW93]. 

We briefly describe the semantics of our update lan- 
guage. 7i (resp. 12) is executed by first evaluating <I>(x) 
thus producing the set of instances of x satisfying $(x) 
in B, and then inserting (resp. deleting) from R these 
instances of x. I3 is performed by executing first Ii 
and then J2. I4 is performed by evaluating condition 
cond on B, if cond is true instl is executed, otherwise 
inst2 is executed. Complex instructions suc;h as if 
cond then (211^2) else 13 are performed by evaluat- 
ing first cond and then, if e.g. cond is true, executing 
ii and then 12, regardless of whether cond holds after 
executing ii. 

Formally, the update [i\ (B) associated with instruc- 
tion i is defined by: 

1. [/ij (B) = B[R RU {x\B h $(^)}] 

2. [/2J (B) = B[R^R- {x\B h <^{x)}] 
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3. [I,\{B) ^ [^,\{[^,\iB)) 
A \ T \(T}\ — j linstl\{B) if B \= cond 
L^4j(-«j - I Lmst2j(B) if B[= -^cond 

To simplify, [iJ(-B) will be denoted by i{B). 

We can easily generalize the transformation of 
[LTW93] to obtain weakest preconditions for our lan- 
guage. 

Theorem 1 The formulas obtained by the weakest 
precondition transformation of [LTW93] and defined 
below in 1-4 are weakest preconditions for instructions 
h-h. 

1. t(;p(foreach x : do insert b.{x),c) = c[r — > 

r U $] ; 

2. i(;p(foreach x : <^{x) do delete nix), c) = c[t — > 
r - $], 

3. wp((n;i2),c) = wp{ii, {wp{i2,c)), 

4- 'wp{if cond then instl else inst2,c) = (cond/\ 
wp{instl, c)) V {^cond A wp{inst2, c)) . 
Example 1 1. Let c = Vx {r{x) q{x)) and let 
i = foreach x : p{x) do insertfi{x), then 

wp{i,c) = Vx{{r{x) W p(x)) q{x)) 

2. Let c = Vx{r{x) — > q{x)) and let i ~ {ii; where 

11 = foreach x : s{x) do deleteR^x) 

12 = foreach y : p(lj) do insert 

then 

wp{i,c) = wp{{ii;i2),c) = wp{ii,wp{i2,c)) 

= wp{ii,Vx{{r(x) W p{x)) — > q{x))) 
= \fx{{{r{x) A -^s{x)) \/ p{x)) q[x)) 

Remark 2 It is noted in [LTW93] that, for con- 
straints which are universal formulas in conjunc- 
tive normal form, one can take advantage of the 
fact that c holds in B to simplify wp into a wp' 
such that for all B satisfying c: B \= wp' 
B \= wp. Consider for instance the update i = 
foreach x : p{x) do insertR{x) of Example 1 1, with 
c = Vx {r{x) — > q{x)) then we can simplify wp{i, c) as 
follows 

wp{i,c) = Vx{{r{x) V p{x)) ^ q{x)) 

= Wx{r{x) — > q{x)) A Vx{p{x) — *■ q{x)) 
= c A Vx{p{x) — > q{x)) 

whence wp' — Vx{p{x) q{x)). In the next sec- 
tion, wc will apply this simplification in a systematic 
way, and implement it via a confluent and terminating 
rewriting system for weakest preconditions. □ 

3 Relational databases 

In the present section, we define a confluent terminat- 
ing rewriting system which, starting from c and u, au- 
tomatically derives a simplified weakest precondition 



wp{c, u). The idea imdcrlying the simplification is the 
same as in [LTW93, L98]: it consists in transforming 
the wp into the form wp = cAwpi, and to take advan- 
tage of the truth of c in the initial database to replace 
wp by wpi. However, 

1. it is not clear in [LTW93, L98] how far this sim- 
plification is carried on, and 

2. this simplification is carried on by the user. 
On the other hand, in our case, the simplification 

1. is itcratively applied until no further simplifica- 
tion is possible, and 

2. is performed automatically. 

It is noted in [LTW93] that constraints involving 
existential quantifiers cannot be simplified: e.g. let 
c be the constraint 3xr{x) and let u be the update 
deletefi{a); then wp{c, u) — 3x[r{x) A^{x ~ a)) which 
cannot be simplified. Hence, for the simplification to 
be possible, we will assume the following restrictions 
to our language: 

1. constraint c and conditions cond are universal 
sentences, and 

2. the qualifications are formulas without 
quantifications. 

Recall that a clause is a sentence of the form c = 
Vx (Zi V Z2 V ... V Im) where the ks are literals. Without 
loss of generality, we can restate our hypotheses as 

1. constraint c is a single clause; indeed if c = 
Vx {Di A £>2 A ... A Dn) is in conjunctive normal 
form, then we can replace c by the n constraints 
VxDi which are clauses and can be studied inde- 
pendently. 

2. the qualifications <I>(x) arc conjunctions of literals; 
we can write $(x) = $i(x) V $2(x) V ... V $„(x) 
in disjunctive normal form, and we replace the 
instruction qualified by $(a;) by a sequence of 
similar instructions qualified by $i(x), ^2{x),. . ■ , 
$„(x). 

3. the conditions cond are single clauses: assum- 
ing as above that cond = Vx{Di A D2 A 
... A Dn) is in conjunctive normal form, we let 
condi — VxDi and we replace e.g. if cond 
then inst by if condi then (if cond2 then 
( . . . (if condn then inst) . . . ) ) 

Note that in many practical cases, constraints are in- 
deed given by clauses, even quite simple clauses involv- 
ing just 2 or 3 disjuncts, and the restrictions on cond 
and $(x) are also satisfied. 

We will use the following notation: let S* be a set of 
clauses and r a predicate symbol; Resr{S) is the set 
of simplified binary resolvents of pairs of clauses in S 
such that 

1. each resolvent is obtained by a unification involv- 
ing r. 
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2. if the resolvent contains a literal of the form -^{x = 
a) (which we write asx^a), then the resolvent is 
simplified by deleting that literal and substituting 
a for X in the resolvent. 



Ri : wp{insertii^, c) — > c[+r ^ r U </>] 

if ReSric,rV -'(f>) = 

R2 : wp{insertR^, c) — > c[+r ^ r U (/>]A 

/\ wp{insertR^,Cj) otherwise 

Cj ^ReSj. (c,rV-i0) 

R3 : wp{deleteii<^, c) — > c[— r — * -ir U ^] 

if Resr{c, -.r V -.^) = 

R4 : wp{deleteii^,c) — > c[—r ^ -ir U 

wp{deleteji<^,Cj) otherwise 

CjGReSr- {c,^rV->4>) 

R5 : ■wp{Iz,c) — > ■u;p(ii, (wp(i2,c)) 

Re : wp{Ii, c) — >(^cond A wp{instl, c)) 

\/[^cond A wp{inst2, c)) 
R7 : wp{u, -ic) — > -iwp{u, c) 

Rg : wp{u,ciAc2) — > wp{u,ci) Awp{u,C2) 

Rg : Ci V C2) — >■ Ci) V C2) 



Example 2 1. Let 5* = {^r{x,y) V q{y,z) , r{x,y) V 
-■9(3:^, 2/)}; then ReSriS) = {q(y, z) V ^(j(x, y)}. 

2. Let S = {-ir(x, y) V -ir(x, z) V q{y, z) , r(a;, y) V 
{{x,y) ^ (a, 6))}; then the binary resolvents obtained 
by unifying over predicate r all pairs of clauses in S 
are 

{ -nr{x,z)\/ q{y,z)\/ {{x,y) ^ {a,b)) , 
-^r{x,y')yq{y',y)y{{x,y)i={a,b)) } 

they are then simplified into 

ReSr{S) = {-r(a, z) V q{b, z) , -r(a, y') V 6)}.n 

The idea governing our simplification method is as 
follows: we define a rewriting system with rules of the 
form 

wp{u,c) — i- l\wp{u,Ci) 
wp{u, c) — > c' 

and with the property that all formulas in a deriva- 
tion arc logically equivalent. Rewriting steps consist 
in computing the instances of the constraint which 
could be modified by the update. Let us define the 
following abbreviations: we write insert for up- 
date Ii : foreach x : do insertn^x), and we 
write r\/^(j) instead of \tx(^R{x) V Similarly, 
deletea^, (resp. -ir V -^(j)) abbreviates I2 '■ foreach 
X : ^{x) do deleteR{x), (resp. Vx(-^R{x) V -i$(x))). 
In updates insertR^ or deletcR^, we may assume that 
r does not occur in $: indeed any occurrence of r in <I> 
is preventively renamed before applying our rewriting 
rules. 

Then our rewriting system consists of the nine rules 
given in Figure 1, where /1-/4 are defined in Definition 
1, c is a clause and Ci, C2 are universal sentences: 
Theorem 2 1. The rules given in Figure 1 define a 
terminating and confluent rewriting system. 

2. The weakest precondition generated by our system 
is in the form wp = swp A c' , with c' such that c => 
c'; if c holds, wp can he simplified into the weakest 
precondition swp which is weaker than wp, the weakest 
precondition defined in Theorem 1. 
Proof idea: Rules are repeatedly applied till saturation, 
i.e. until an explicit form to which no rule applies is 
obtained. 

1. The termination is proved by structural induc- 
tion: each subformula wp{i,Cj) derived from wp{i,c) 
either is in an explicit form, or has a Cj which is strictly 
smaller than c. Confluence follows from the fact that 



Figure 1: Simplification rules 

each wp{u, c) has a unique derivation (up to the order 
in which the rewritings are applied). 

2. Wc prove by induction that our rewriting sys- 
tem generates a wp in the form wp = swp A c' , with 
c' such that c =^ c' holds. Therefore, taking into ac- 
count that c holds in we can simplify wp into swp, 
and wp swp holds. Because wp is equivalent to 
the weakest precondition of Theorem 1, and because 
the weakest preconditions of [LTW93, L95, L98] and 
of Theorem 1 are equivalent, swp is simpler than the 
weakest preconditions of [LTW93, L95, L98] and The- 
orem 1. Example 3 1 shows that swp 7^=^ wp, i.e. our 
swp can be strictly simpler than wp.D 
Example 3 1. Let c = Va;, y, z {{p{x, y) A q{y, z)) — »■ 
{p{x, z) V q{x, z))) and let i = foreach x, y : (x, y) = 
{a, a) do insertp{x,y), i.e. $(a;) is {x,y) = {a, a), 
then the method of [LTW93] gives 

wp{i,c) = '\/x,y,z {{{p{x,y)V {x,y) = {a,a)) Aq{y,z)) 
— > {{p{x, z) V (x, y) = (a, a)) V q{x, z))) 

and our method gives the sequence of rewritings: 

wp{i,c) — {^q{a,z)y p{a,z)y q{a,z)) 

Ac[+p ^pU{x,y) = {a, a)] 
{^q{a, z) V p{a, z) V q{a, z)) (2) 
— »■ true (3) 

The simplification of line 2 is obtained by taking into 
account the fact that c holds in B, hence c[+p p[J 
{x, y) = {a, a)] also holds. Because -^q{a, z) V q{a, z) = 
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true, our simplified weakest precondition equivalent to 
true and we obtain line 3. 

2. Consider again Example 1 2. We have the se- 
quence o£ rewritings, where we have underlined the 
rewritten term whenever a choice was possible: 

wp{{ii;i2),c) — wp{ii,wp{i2,c)) 

— >H2 wp{ii,c Awp{i2,^p\/ q)) 
— 'Ri wp{ii,c A {^pW q)) (4) 
— ^_Rs wpih, c) A wp{ii, {-'pVq)) 
— >_R3 wp{ii,c) A {^pV q) 
— 'R3 ^ -T U s] A {^p V q)) 

hp V q) 

Note that line 4 gives us the simplified form of the 
weakest precondition of Example 1 1, (see Remark 2). 
The last simplification is obtained by taking into ac- 
count the fact that c holds in B, hence c[—r ^ ^rUs] 
also holds. 

3. Let c = Vx, y, z y) V ^p{x, z) V q{y, z)) and 
let i = foreach x,y : {x,y) = {a,b) do insertp{x,y), 
then our method gives: 

wp{i,c) — wp{i,^p{a,z)y q{h,z)) 

Awp{i, -np{a, y) V q{y, b)) A c 

— % wpii, q{b, h)) A {^p{a, z) V q{h, z)) 
A{^p{a,y)V q{y,b)) Ac 

— 'Ri q{b,b)A{-^p{a,z)Vq{b,z)) 

A{-^p{a,y)yq{y,b)) Ac (5) 

(where — means that several — rewriting steps 
are performed); assuming c holds in we can sim- 
plify 5 into swp = \ly, z q{b, b) A {-'p{a, z) V q{b, z)) A 
{^p{a, y)\/q{y, b)) which is to be verified in B. Assum- 
ing c holds in B, the methods of [N82, BDM88, BD88] 
yield the postcondition Vy, z (-ip(a, z) V g(6, z)) A 
{^p{a,y) V q{y,b)) which must be verified in the up- 
dated database i{B). [BDM88, BD88] go one step fur- 
ther: embedding B in a deductive framework, they 
simulate the evaluation of the postcondition via pred- 
icates delta and new which are evaluated in B before 
update i is performed. 

4 Deductive Databases 

We now extend the definition and verification of 
a weakest precondition wp{u, c) to the deductive 
database setting, where both c and u can be defined by 
DATALOG programs. We chose DATALOG because it 
is the best understood, most usual and simplest setting 
for deductive databases. We will first define our frame- 
work, the weakest preconditions, and then we will give 
heuristics for 



1. proving that the weakest precondition holds with- 
out actually evaluating it 

2. computing simplified weakest preconditions. 

Recall that on a language consisting of the EDBs 
ri , . . . , Tfe and new predicate symbols qi, . . . ,qi -called 
intensional predicates (or IDBs)-, a DATALOG pro- 
gram P is a finite set of function-free Horn clauses, 
called rules, of the form: 



qiyi,-,yn) < — qi{yi,i,-,yi,ni 



qp{yp,ij ■■■■> VptUp) 



where the yiS and the yijs are either variables or con- 
stants, q is an intensional predicate in {qi,...,qi}, 
the qiS are either intensional predicates or extensional 
predicates. 

In our framework, both updates and constraints range 
over deductive queries, possibly involving recursion. 
Formally, updates and constraints are defined as in 
Section 2, but in addition: 

• the qualifications $(x) in both insert and delete 
statements are conjunctions of literals which may 
contain atoms defined by recursive DATALOG 
programs, 

• similarly, constraints c and conditions cond in if 
- then - else statements may contain atoms 
defined by recursive DATALOG programs: con- 
straints and conditions are general clauses, but 
the atoms occurring in them are defined by Horn 
clauses. 

The definition of the weakest preconditions extends 
easily: we follow here the approach of [L95] . 
Notation 1 1. Let Q and R be relations appearing 
in a DATALOG program P, and respectively corre- 
sponding to the predicate symbols q and r: q is said 
to depend directly on r if g = r or if r appears in the 
body of a rule defining q; q is said to depend on r if g 
depends directly on r, or 5 depends directly on q' and 
q' depends on r. 

2. Let be the program obtained by adding to P 
new IDB symbols q' for each predicate q depending on 
r, and new rules; for each rule p of P defining an IDB q 
depending on r, a new rule p' defining q' is added: p' is 
obtained from p by substituting s' for each occurrence 
of a symbol s depending on r (hence r' is substituted 
for each occurrence of r). If r is an EDB predicate, we 
add a new IDB symbol r', but there is no rule defining 
r' yet: the rules defining r' depend on the update and 
will be given later. 

3. c[r — > r'] denotes c where all the predicates de- 
pending on r (including r when r is an EDB) are re- 
placed by the corresponding primed predicates. □ 

We will assume the following hypotheses: 
Hi: the qualifications >I'(x) are conjunctions of literals, 
and all the rules defining the IDBs in constraint c. 
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qualifications ^{x) and conditions cond are given 

in program P. 

H2: in statements of the form foreach x : do 
insertii{x), or foreach x : ^{x) do deleteii{x), 
none of the literals in ^{x) depends on r. 

Theorem 3 Assume constraint c and instruction i 
satisfy Hi and H2 , then the formulas defined below are 
weakest preconditions for c and i. 

1. wp(foreach x : do insert nix) , c) = c[r — > 
r'] where the program, defining the IDBs is PinsertR^ ~ 
P; U {r'{x) < — r(x) , r'{x) < — 

2. wp(foreach x : do deleteR{x),c) — c[r — > 
r'] where the program defining the IDBs is P'j^^i^ten<i> ~ 

P; U {r'{x) < r{x) A -^t{x) , t{x) < — with t a 

new IDE predicate, 

3. wp{{ii-,i2),c) = wp{ii,{^vp{i2,c)), 

4- wp{if cond then instl else inst2,c) = (condA 
wp{instl, c)) V (-iconrf A wp{inst2, c)) . 
Theorem 3 calls for some remarks. 

1. When none of r, c or $ is recursive, we obtain 
again the weakest preconditions of Theorem 1. 

2. Our definition of insertions is quite liberal, al- 
lowing us to add new rules, which is not permitted in 
[L95]. Similarly, deletions can suppress tuples, sets of 
tuples or even rules. 

3. Deletions and/or qualifications $ containing 
negations force us out of the DATALOG framework, 
because the weakest precondition of foreach x : 

do deleteii{x) and constraint c is defined by 
the DATALOG^ program U {r'{x) < — r(x) A 
-^t{x) , t(x) < — ^{x)}; this was already noted in 
[GSUW94]. In [L95, LST87] a stratified DATALOG^ 
framework is assumed: this ensures that both the con- 
straint and the wp are expressible in the same frame- 
work. 

4. In what follows, we will consider only inser- 
tions and positive qualifications in order to be able 
to express both constraints and their wps in DATA- 
LOG. The wps defined in Theorem 3 are correct with- 
out this restriction, but they are defined by stratified 
DATALOG" programs, and not by Horn clauses. 
Example 4 Let c be the constraint Vx, y ^tc{x, y) V 
i{x, y), where i does not depend on tc. and consider the 
update foreach x,y : path{x,y) do insertrcix^y), 
where all the predicates are defined by program P: 



P < 



tc{x, y) < — arc{x, y) 

tc{x,y) < — arc{x,z) , tc{z,y) 

path{x,y) < — edge{x,y) 

path{x,y) < — edge{x,z) , path{z,y) 

y) < — body{x, y) 



the rules 6 and 7. 

tc'{x,y) 
tc'(x,y) 



arc{x, y) (6) 
arc{x,z) , tc'{z,y) (7) 



and P'insertTcpath ^/c together with the rules 8 and 
9. 



tc'{x,y) 
tc'{x,y) 



tc{x,y) 
path{x, y) 



(8) 
(9) 



Finally, wp{u, c) = Vx, y ^tc'{x, y) \/i{x, y), where TC 
is defined by PLsert^aPath = ^ U {6, 7, 8, 9}. 

We now turn our attention towards the goal of prov- 
ing that the weakest precondition holds without actu- 
ally evaluating it. One method is to show that 



wp{u, c) 



(10) 



The problem is that implication 10 is undccidablc ex- 
cept in some special cases: e.g., if both c and wp{u, c) 
are unions of conjunctive queries, and at least one of 
them is not recursive [C91, CV92]; some special classes 
of formulas for which 10 is decidable are studied in 
[M97] . So we can only hope for heuristics to find suffi- 
cient conditions ensuring that implication 10 will hold. 
The idea, coming from Dijkstra's loop invariants [D76] , 
consists in proving 10 by recursion induction, without 
actually computing wp{u, c). We illustrate this idea on 
an example. 

Exemiple 5 Let c be the constraint Va;, y -^tc{x, y) V 
i{x, y), where / and TC are defined by P: 

tc{x,y) < — arc{x,y) (11) 

tc{x,y) < — edge{x,y) (12) 

tc{x,y) < — arc{x,z) , tc{z,y) (13) 

i{x,y) < — ii{x,zi),edge{zi,Z2),ii{z2,y) {14:) 

iiix,y) < — arc{x,z) , ii{z,y) (15) 

ii{x,y) < — edge{x,z) , ii{z,y) (16) 

ii{x,x) < — (17) 

and consider the update u = foreach x,y : 

edge{x,y) do insert Arc{x,y)- Then wp{u,c) = 
Va;, y -^tc'{x, y)\/i{x, y), where / and TC are defined by 



PL 



insert Arc^' 



^g^, consisting of P together with the rules 



(because I' = I here): 



arc'{x, y) 
arc'{x, y) 
tc'{x,y) 
tc'{x,y) 



arc{x, y) 
edge{x, y) 
arc'{x,y) 

arc'{x,z) , tc'{z,y) 



Then P/^ is P together with a new predicate tc' and 



We prove that c =^ wp{u, c) by induction. To this 
end, let C[B] = (P C /); we note that c holds 
iff C[TC] holds, and wp{u,c) holds iff C[TC] holds. 
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Let 03 denote the eomposition'^ of binary relations. 
It thus suffices to prove that, for any R, C[R] 
C[Arc' U ^rc' CXI i?] to conclude, by fixpoint induction, 
that C[TC'] holds. 

We now show that, if c holds, then C[i?] =J> 
C[Arc' U Arc' CXI ij] holds. Assume that C[R] holds. 
Because c holds, C[TC] holds. Note that C[Arc' U 
Arc't^R] reduces to the conjunction of C[Arc], 
C[j4rctxii?], C[Edge\, C[Edget<\R]; each of the con- 
juncts is easy to verify: for instance C\Arc\ holds 
because Arc c TC by rule 11 and because C\TC\ 
holds; C[Arcb<\R\ holds because C[R\ holds, and be- 
cause of rules 14, 15, 14, and similarly for C\Edge\ and 
C[Edget<iR]. □ 

We now study the computation of simplified weakest 
preconditions, in the case of insertion updates. The ba- 
sic idea is quite simple and comes from the semi-naive 
query evaluation method in DATALOG (see [AHV95]). 
We design a DATALOG program computing all new 
facts deduced from the insertion update (and prefer- 
ably only new facts) and we verify the constraint on 
the new facts computed by that program. The method 
of [BD88] is based on a similar idea. We will sketch this 
method on an example, simple, but useful, where the 
constraint is c = -Bx tc{x,x) where TC is a transi- 
tive closure. Such a constraint is used, for instance, 
to check that a set of DATALOG clauses defines a 
non recursive program by verifying that the precedence 
graph of the IDBs occurring in the program has no cy- 
cle. We want to check that adding a new clause does 
not create recursions, i.e. cycles. Adding a new clause 
corresponds to an insertion update. 
Example 6 Consider the update insert Arc{d,h), and 
let c be the constraint -Bx tc{x,x), where TC is de- 
fined by program P: 

tc{x, y) < — arc{x, y) 
tc{x, y) < — arc{x, z) , tc{z, y) 

We assume that constraint c is verified by database B. 
Let ^tc{x,y) be the potentially new facts which will 
be inserted in TC as a consequence of the update. The 
IDE predicate 6tc corresponding to Ajc is defined by 
the DATALOG program: 



P' 



tc{x, y) 
tc{x,y) 
Stc{d, b) 
Stc{d,y) 
Stc{x,y) 



arc{x, y) 
arc{x, z) 



tc{z,y) 



tc{b, y) 

arc{x,z) , 6tc{z,y) 



The weakest precondition wp{c, insert Arc{d, h)) then is 
-i3a; 5tc{x, x), which can be evaluated by SLD-AL reso- 

^cxi performs an equijoin on the second attribute of the first 

relation and the first attribute of the second relation, followed 
by a projection on the first and third attributes. 



lution [V89] . The weakest precondition of [L95] and of 
Theorem 3 would be in the present case Sx tc'{x,x) 
where TC is defined by the program PlnsertA^ 



pi 

insert Ar-dd^h) 



tc{x,y) 
tc{x,y) 
tc'{x,y) 
tc'{x,y) 
arc'{x, y) 
arc'{d,b) 



arc{x, y) 

arc{x,z) , tc{z,y) 
arc'{x, y) 

arc'{x, z) , tc'{z, y) 
arc{x, y) 



The program P' of Example 6 can be obtained by an 

algorithm: the idea is to compute the rules defining 
new facts by resolution with the inserted atoms (simi- 
lar to the idea of 'refutation with update as top clause' 
of [SK88]). A saturation method [AHV95, BDM88, 
SK88, LST87] is used to generate the new rules, i.e. we 
add rules until nothing new can be added. To simplify 
the notations, we give the algorithm in the case when 
the update is of the form insert ji{dj) ior j = 1, . . . , k, 
with r an EDB predicate, and the constraint is of the 
form -i3x t{x) with t an IDB, possibly depending on 
r, defined by a linear DATALOG program. 

Algorithm. Inputs: update u = insert ji{dj) for 
j = l,...,fc, constraint c = Sx t{x), and a linear 
DATALOG program P defining relation T. 
Outputs: A simplified wp(u,c), and a DATALOG 
program P' defining wp{u,c). 

Step 1: For each IDB q oi P depending on r, let 
6g be a new IDB; let 11 be the set of rules defined as 
follows: for each rule q < — body of P whose head q 
depends on r add in 11 a rule 6q < — body. If 11 is 
empty, then update u is safe; STOP. 

Step 2: Let Pi = {Res{p,r{d~)) / p e n,j = 
1, . . . , fc} be the set of resolvents of rules of 11 with 
updated atoms. If Pi is empty, then update u is safe; 
STOP. 

Otherwise, generate new rules as follows: 

i := _1 WHILE Pi 7^ DO P^+i = 

{Res{p,r{dj)) / p G Pi,j = l,...,k} ; i := i + 1 

ENDDO 

Let P' = up. 

Step 3: Let Si be the set of rules of 11 which contain 
an IDB q depending on r in their body. If Ei is empty, 
then wp{u, c) = ^3x St{x), and program PUP' defines 
At; STOP. 

Otherwise, generate new rules as follows: let PI' be 
obtained from Si by substituting Sq for q in the bodies 
of the rules of Si; only new predicates Sq appear in 
rules of Pi". 

i := 1 WHILE PI' 7^ DO 
{Res{p,r(d])) I p e PI', 3 = l,...,k] ; i:=i + l 
ENDDO 

Let P" = UP". 



P" 
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wp{u,c) = -Bx 5t{x), and program P U P' U P" 
defines At; STOP.D 

The WHILE loops in steps 2 and 3 terminate, be- 
cause at each iteration step the number of atoms 
involving r decreases in the rules. This algorithm 
can generate rules which might be useless in some 
cases: e.g., in Example 6, the useless rule 5tc{d, y) < — 
5tc{b,y) would be generated. This algorithm can be 
generalized to non linear DATALOG programs, and to 
more general insert instructions. 

When the insertion is defined by a (possibly recur- 
sive) qualification, we can similarly compute the po- 
tentially new facts to be inserted as a consequence of 
the update. Consider the program P and the update 
u = foreach x,y : path{x,y) do insertTc{x,y) de- 
fined in Example 4, and let c be constraint -<3x tc{x, x) . 
The potentially new** facts Atc{x, y) which will be in- 
serted in TC are defined by the DATALOG program 
P': 



P' 



P 

5tc{x,y) ^ edge{x,y) 

Stc{x,y) <- edge{x,z) , tc{z,y) 

Stc{x,y) ^ edge{x,z) , 6tc{z,y) 

Stc{x, y) <- arc{x, z) , Stdz, y) 



The weakest precondition wp{c, insert ArcPath) is 
again -Bx 5tc{x,x). 

The method of [L95] and of Theorem 3 would now 
give the weakest precondition -i3x tc'{x, x) where TC 
is defined by the program P^„,ert^.eedge' namely: 



P' 



P 

tc'{x,y) 
tc'{x,y) 
arc'{x, y) 
arc'{x, y) 



arc'{x,y) 
arc'{x, z) , 
arc{x, y) 
path(x, y) 



tc'{z,y) 



5 Conclusion and discussion 

In the relational case, wc devised a systematic method 
for computing a simplified weakest precondition for a 
general database update transaction u and a constraint 
c. This yields an efficient way of ensuring that the up- 
date maintains the truth of the constraints. In the 
deductive case, we studied two methods: the first one 
consists in proving by fixpoint induction that c ==> 
wp{u, c) holds without evaluating wp{u, c); the second 
one consists in defining, for insertion updates and con- 
straints c of the form -3x q{x), a constraint c' simpler 



^Soine new facts could be already present in the old database 
or could be generated twice; this is unavoidable, unless we are 
willing to perform a semantical analysis of the program which 
can be expensive. 



than wp{u, c) and such that c ^c' <^=^ wp{u, c)^ ; 
this is a first step towards one of the goals stated in 
the conclusion of [BGL96]. 

The idea of our method is to preventively check 
only relevant parts of the precondition which are gen- 
erated using saturation methods. We preventively 
check a weakest precondition before performing the up- 
date, and perform the update only when the weakest 
precondition ensures us that it will be safe (see also 
[BDM88, LTW93, L95, L98]); complex updates are 
also considered a whole, rather than separately, thus 
generating simpler weakest preconditions. Following 
the method initiated in [N82], we check only the rele- 
vant part of the weakest precondition (i.e. those facts 
potentially affected by the update); to this end, we 
preventively simplify the weakest precondition by us- 
ing a resolution method: we separate in the weakest 
precondition the facts which reduce to c (assumed to 
hold) from the 'new' facts which have to be checked 
(see also [BDM88, N82, SK88]). 

Our update language is more expressive than the 
ones considered in [BS98, BDM88, LST87, N82] in that 
we allow for 1. more complex updates, inserting or 
deleting sets defined by a qualification which is a uni- 
versal formula, 2. conditional updates, 3. complex 
transactions, and 4. recursively defined updates and 
constraints. The language of [BS98] has an additional 
statement for one x where cond do inst which can 
be simulated in our language; in addition it is object- 
oriented, as are the languages of [L95, L98]. Our up- 
date language is in some respects more user-friendly 
than the one considered in [L95, L98] (because we al- 
low for conditional updates, and, in the deductive case, 
we allow for insertions or deletions of rules); in some 
respects it is less expressive (because our qualifications 
are universal formulas instead of arbitrary first order 
formulas in [L95, L98, M97]); our system has been 
extended to allow for some existential quatifiers and 
in practice, our qualifications suffice to model usual 
update languages. This slight loss in expressivity en- 
ables lis to explicitly and effectively give an automatic 
procedure for generating a simplified weakest precon- 
dition, implemented via a terminating term rewriting 
system. [LTW93. L98] give only sufficient conditions 
under which simplifications are possible, and state the 
existence of a simplified weakest precondition, without 
giving an algorithm to compute it. 

The parallel time complexity for computing wp{u, c) 
is linear in the total size of the formulas involved 
(constraint, qualification, etc.). The maximum size of 
wp{u, c) is also linear in the size of the formulas in- 
volved, except for the case of an update of the form 
insertji^ paired with a constraint c containing A: > 1 
occurrences of -ir, when a blow-up exponential in k 
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may occur in the size of wp{u, c) (and similarly for 
deletCR^ with A: > 1 occurrences of r in c). 

Because our weakest precondition is defined inde- 
pendently of whether c holds in and is then simpli- 
fied by taking into account whether c holds in B, our 
approach can be extended to handle changes in the 
integrity constraints. Further steps would be: 

1. to apply semantic query optimization techniques 

for recursive programs [CGM90, M98] to simplify 
even more our simplified weakest preconditions; 

2. to incorporate in our language complex updates 
(e.g. modifications, exchanges); 

3. to generalize our algorithms to allow for con- 
straints which are not given by clauses. 
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